Karen Scarfone

Karen is dedicated to helping federal agencies and others communicate technical cybersecurity info to external and internal audiences. Karen founded her company on the belief that security professionals will continue to fall behind attackers until we become more adept at communication.

Karen was formerly a Senior Computer Scientist at NIST, where she developed security publications for federal agencies and the public. She holds master's degrees in computer science and technical writing, and she's worked in IT for over 30 years.

Karen Scarfone's Publications and Blog

Here are links to my online publications and blog posts! Sign up to get a weekly email update when I release a new pub or blog post.

NIST • 16th November 2023

SP 800-221A, Information and Communications Technology Risk Outcomes

Information and Communications Technology (ICT) spans all tools, devices, data, infrastructure, and components and it’s a broad concept that continues to evolve. This publication provides desired outcomes and applicable references common across all types of ICT risk; it offers a common language for understanding, managing, and expressing ICT risk to internal and external stakeholders and can help identify and prioritize actions to reduce ICT risk. The core of this publication can be browsed and downloaded in popular formats such as JSON and Excel using the NIST Cybersecurity and Privacy Tool (CPRT).

NIST • 16th November 2023

SP 800-221, Enterprise Impact of Information and Communications Technology Risk

Information and Communications Technology (ICT) spans all tools, devices, data, infrastructure, and components and it’s a broad concept that continues to evolve. This publication helps in understanding the relationship between ICT risk management and ERM—and the benefits of integrating those approaches. This includes ICT risk guidance on how all ICT risk programs, including individual programs such as privacy, supply chain, and cybersecurity, integrate into ERM.

NIST • 14th November 2023

Data Classification Concepts and Considerations for Improving Data Protection

Data classification is the process an organization uses to characterize its data assets using persistent labels so those assets can be managed properly. This publication defines basic terminology and explains fundamental concepts in data classification so there is a common language for all to use. It can also help organizations improve the quality and efficiency of their data protection approaches by becoming more aware of data classification considerations and taking them into account in business and mission use cases, such as secure data sharing, compliance reporting and monitoring, ZTA, and LLMs.

FedTech • 17th October 2023

Improved Cybersecurity Logging Gives Agencies Better Network Visibility

Each agency should use logging in conjunction with various tools for finding vulnerabilities on each of its IP network-connected technology assets, including missing patches, outdated software versions in need of upgrading, and misconfigured software and services. Most agencies will need to use several tools in combination to achieve the necessary visibility for all of their assets, no matter where each asset is located at any time. Let’s take a closer look at some of these tools.

NIST • 11th October 2023

Draft SP 800-92r1, Cybersecurity Log Management Planning Guide

This document defines a playbook to help any organization plan improvements to its cybersecurity log management practices in support of regulatory requirements and recommended practices. While the playbook is not comprehensive, the listed plays are noteworthy and generally beneficial for cybersecurity log management planning by organizations.

TechTarget • 28th September 2023

How to Develop a Cybersecurity Strategy: Step-by-Step Guide

A cybersecurity strategy isn't meant to be perfect, but it must be proactive, effective, actively supported and evolving. Here are the four steps required to get there.

TechTarget • 26th September 2023

3 phases of the third-party risk management lifecycle

Supply chain vulnerabilities in services can be managed with a third-party risk management program, of which the third-party management lifecycle is key. This lifecycle is composed of three phases: before the contract, during the contract and contract termination. Let's examine each phase, as well as steps to take during each phase to better manage risk.

NIST • 17th August 2023

Developing Cybersecurity and Privacy Concept Mappings

NIST Internal Report (IR) 8477 ipd, Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings, explains NIST’s proposed approach for identifying and documenting relationships between concepts such as controls, requirements, recommendations, outcomes, technologies, functions, processes, techniques, roles, and skills.

NIST • 8th August 2023

NIST Cybersecurity Framework 2.0 Draft

NIST has released a Draft of The NIST Cybersecurity Framework (CSF) 2.0 for public comment! This draft represents a major update to the CSF—a resource first released in 2014 to help organizations reduce cybersecurity risk. The draft update reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice for all organizations.

TechTarget • 4th August 2023

8 vulnerability management tools to consider in 2023

Once an organization implements a vulnerability management program, the next step is providing the program's team with powerful vulnerability management tools to automate as many tasks as possible. Evaluate these eight open source and vendor-supported vulnerability management tools.

EdTech • 1st August 2023

Setting Up a Secure Multifactor Authentication Solution

Attackers frequently target authentication solutions, including MFA services, and a poorly secured MFA implementation can provide a way for an attacker to compromise many accounts at once. You can take the following steps to help ensure that your university’s MFA solution is properly secured — and stays that way.

FedTech • 7th July 2023

Take These Steps to Plan for Ransomware Attacks

Take advantage of these lessons learned to protect your agency’s systems and data.

TechTarget • 20th June 2023

Blockchain security: Everything you should know for safe use

Despite its reputation, blockchain is subject to many of the same vulnerabilities as other software. It helps to have a clear idea of its inherent strengths and weaknesses.

TechTarget • 25th May 2023

Smart contract benefits and best practices for security

While smart contracts promise enormous benefits in the enterprise, they also present opportunities for cybercriminals. Explore best practices to keep them secure.

NIST • 17th May 2023

SP 800-124 Revision 2, Guidelines for Managing the Security of Mobile Devices in the Enterprise

This publication assists organizations in managing and securing mobile devices against the ever-evolving threats. To address these threats, this publication describes technologies and strategies that can be used as countermeasures and mitigations.

TechTarget • 16th May 2023

How to build a better vulnerability management program

Let's look at how to improve your organization's vulnerability management, whether it already has a vulnerability management program or is thinking about starting one. The following five steps are key to building a better vulnerability management program.

Cybersecurity Guide • 12th May 2023

An interview with Karen Scarfone

On today’s show our guest is Karen Scarfone. She’s the principal consultant for Scarfone Cybersecurity in Clinton, Virginia. We’re going to be talking about small businesses and cybersecurity.

NIST • 3rd May 2023

SP 1800-36 (Draft), Trusted IoT Device Network-Layer Onboarding and LC Management

Trusted network-layer onboarding, in combination with additional device security capabilities such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement could improve the security of networks and IoT devices.

NIST • 25th April 2023

Implementing Data Classification Practices

The NCCoE is collaborating with technology providers to build several example data classification solutions and demonstrate their ability to meet organizational data classification needs. The project’s objective is to define product-agnostic recommended practices for defining data classification schemes and communicating them to others.

TechTarget • 19th April 2023

Top 7 Data Loss Prevention Tools for 2023

Some DLP tools encompass the entire organization -- and these are the focus of this article. First let's discuss some must-have features and capabilities. Then, take a close look at seven enterprise DLP tools for the information needed when evaluating the best product for your company's needs.

Cybersecurity Guide • 18th April 2023

NIST and small business cybersecurity

This guide provides an overview of the existing free resources and the latest programs for small business cybersecurity from NIST.

TechTarget • 17th April 2023

How to build a cybersecurity deception program

To build a cybersecurity deception program, security leaders need a thoughtful and strategic approach. Consider the following best practices.

TechTarget • 11th April 2023

Centralized vs. decentralized identity management explained

Learn about centralized vs. decentralized identity management, as well as the advantages and disadvantages of each, from two viewpoints: organizations that want to verify user identities and individuals that want to access organizations' resources and services.

Blog • 24th March 2023

Cyber Guidance for Small Businesses

How can the security community better bridge the gaps between Big Guidance and small business?

Load More